Iris Levari
Amdocs
irisl@amdocs.com
OWASP
12/3/07
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 2
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 3
SOA Example
OWASP 4
SOA Key Terms
OWASP 5
SOA - Service Oriented Architecture
OWASP 6
Service Properties
Service is
Loosely coupled
High-level granularity
Self describing
Hardware or software platform interoperability
Discoverable
Service can be composed of other services
Context-independent
OWASP 7
Service Oriented Architecture - Advantages & Disadvantages
Advantages
Maximize reuse
Reduce integration cost
Flexible & easily changed to reflect business process change
Shortcomings
Message handling and parsing
Legacy application services wrapping
Complex service design and implementation
OWASP 8
SOA Example
OWASP 9
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 10
Business-Driven Development Methodology
OWASP 11
Security Encompasses all life cycle aspects
OWASP 12
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 13
New Security Threats
OWASP 14
Security Considerations
OWASP 16
Message Level Security vs. Transport Level Security
OWASP 17
Transport Layer Security
OWASP 18
Security in the Message
HTTP security (SSL) is point-to-point
[Diagram: Sender -> Intermediary -> Receiver, with a separate security context on each hop]
OWASP 19
Transport Security For Web Services Pros and Cons
Pros
Mature: SSL/VPN
Supported by most servers and clients
Understood by most system administrators
Cons
Point to point: messages are in the clear after reaching the SSL endpoint
Waypoint visibility: can't have partial visibility into the message parts
Granularity
Message Level Security
Pros
Persistent, self-protecting message
Cons
Encompasses many other standards including XML Encryption, XML Signature, X.509 certificates and more
OWASP 23
Converting Security into a Service
OWASP 25
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 26
Traditional SSO
OWASP 28
SOA SSO Federation Cont
OWASP 29
Agenda
What Is SOA
SOA life cycle & Security
SOA Generated Security Concerns / Opportunities
SSO & SSO Federation
WS Security Standard
OWASP 30
WS-security Standard
OWASP 31
Web Services Stack
OWASP 32
Web Services Security Architecture
OWASP 33
WS Security Building Blocks
Security Tokens
Username Token
Username Token with Password Digest
Binary Security Token
X.509 Version 3 certificates
Kerberos tickets
Signatures sign all or part of the SOAP body
Reference List or Encrypted Key
OWASP 34
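As an added example (not from the slides), this shows how the Username Token with Password Digest listed above is built by a client and checked by a receiver: the digest is Base64(SHA-1(nonce + created + password)) as in the WS-Security UsernameToken profile, and the receiver enforces a freshness window plus a nonce cache so a captured token cannot simply be replayed. The user name, password and clock values are constructed for the demo.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created timestamp format

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_username_token(username, password, now):
    """Client side: fresh random nonce, UTC Created timestamp, digested password."""
    nonce = secrets.token_bytes(16)
    created = now.strftime(CREATED_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    def __init__(self, passwords, freshness=timedelta(minutes=5)):
        self.passwords = passwords    # username -> password; the digest needs the cleartext
        self.freshness = freshness
        self.seen_nonces = set()      # prune entries older than the window in production
    def verify(self, token, now):
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce_b64, digest = token["Nonce"], token["PasswordDigest"]
            nonce = base64.b64decode(nonce_b64, validate=True)
        except (KeyError, ValueError):           # malformed token
            return False
        if abs(now - created) > self.freshness or nonce_b64 in self.seen_nonces:
            return False                         # stale/future timestamp, or replayed nonce
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return False
        self.seen_nonces.add(nonce_b64)
        return True

def demo():
    """Constructed scenario on a fixed clock; returns (valid, replay, wrong_pw, stale)."""
    t0 = datetime(2007, 12, 3, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "correct horse"})      # constructed credential store
    tok = make_username_token("alice", "correct horse", t0)
    valid = v.verify(tok, t0 + timedelta(seconds=30))           # fresh token, first use
    replay = v.verify(tok, t0 + timedelta(seconds=31))          # same token again
    wrong_pw = v.verify(make_username_token("alice", "wrong", t0), t0)
    stale = v.verify(make_username_token("alice", "correct horse", t0), t0 + timedelta(hours=1))
    return valid, replay, wrong_pw, stale
```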
Structure of a Basic Web Services Security SOAP Header
OWASP 35
Structure of a Basic Web Services Security SOAP Header (cont.)
OWASP 36
XML Encryption in WS-Security
OWASP 37
Providing Integrity
XML Signature in Web Services Security
XML Signature
Verify a security token or SAML assertion
Message integrity
XML syntax
Explicit <Reference> element points to what is being signed
One or more XML signatures
Overlapping is possible
OWASP 40